CCIE.pl

site 4 CCIE wannabies
https://ccie.pl/

Asa odbiera pakiety z VPN ale nie wysyła

https://ccie.pl/viewtopic.php?f=44&t=20506

Strona 1 z 1

Asa odbiera pakiety z VPN ale nie wysyła

: 21 paź 2014, 11:48
autor: michaliwanczuk
Witam
Mam problem z VPN'em

odbieram pakiety ale nie wysyłam odp w tunel


może być pomocne

mam 2 łącza eth1 i eth2

trasa domyślna jest na eth1

ale dodałem routing do peera na eth2 oraz to co ma iść w tunel

: 21 paź 2014, 12:20
autor: czarli
Napisz cos wiecej bo moze byc wiele przyczyn...

- jaki tshoot robiles?
- wklej konfig
- na jakim urzadzeniu jest VPN?
- sh log, sh route, sh ip, sh run crypto, sh run tunnel itp...

: 21 paź 2014, 12:31
autor: michaliwanczuk
cisco 5510 wersja 9.1(3)
S 172.17.4.101 255.255.255.255 [1/0] via 217.....67, toNet
S 172.17.4.100 255.255.255.255 [1/0] via 217.....67, toNet
S 193.xxx.yyy.179 255.255.255.255 [1/0] via 217.....67, toNet
tunnel-group 193.xxx.yyy.179 type ipsec-l2l
tunnel-group 193.xxx.yyy.179 general-attributes
default-group-policy GroupPolicy2
tunnel-group 193.xxx.yyy.179 ipsec-attributes
ikev1 pre-shared-key *****

crypto map toNet_map 1 match address toNet_cryptomap_1
crypto map toNet_map 1 set pfs
crypto map toNet_map 1 set peer 193.xxx.yyy.179
crypto map toNet_map 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map toNet_map 1 set security-association lifetime seconds 86400
crypto map toNet_map 1 set nat-t-disable

access-list toNet_cryptomap_1 line 1 extended permit ip host 172.20.58.10 host 172.17.4.100

sh cry is sa
4 IKE Peer: 193.xxx.yyy.179
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE


nie widzę nic w logach jedynie zwiększają mi countery

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 42, #pkts decrypt: 42, #pkts verify: 42

: 21 paź 2014, 12:56
autor: drake
Hej,
a masz wykluczenie z NAT dla tego ruchu?

Pozdruffka! ;)

: 21 paź 2014, 13:10
autor: michaliwanczuk
jak dobrze zrozumiałem to to mam takie coś

nat (toNet,any) source static 172.17.4.100 bph_172.17.4.100 destination static 172.20.58.10 172.20.58.10 unidirectional

: 21 paź 2014, 13:29
autor: LukaszM
w crypto acl masz:

Kod: Zaznacz cały

access-list toNet_cryptomap_1 line 1 extended permit ip host 172.20.58.10 host 172.17.4.100
a w nat exempt:

Kod: Zaznacz cały

nat (toNet,any) source static 172.17.4.100 bph_172.17.4.100 destination static 172.20.58.10 172.20.58.10 unidirectional
powinno byc:

Kod: Zaznacz cały

nat (toNet,any) source static obj_172.20.58.10 obj_172.20.58.10 destination static obj_172.17.4.100 obj_172.17.4.100
musisz wiec zdefiniowac dodatkowo obiekty i uwzglednic je w powyzszej regule nat

: 21 paź 2014, 13:35
autor: michaliwanczuk

Kod: Zaznacz cały

nat (toNet,any) source static obj_172.20.58.10 obj_172.20.58.10 destination static obj_172.17.4.100 obj_172.17.4.100
ale obiekt obj_172.20.58.10 jest u mnie
a
jest po drugiej stronie jest obj_172.17.4.100

: 21 paź 2014, 13:42
autor: LukaszM
ok to użyj w regule nat exempt interfejs na ktory wskazuje routing do 172.20.58.10 np inside i interfejs na ktory wskazuje routing do 172.17.4.100 np: outside

Kod: Zaznacz cały

nat (inside,outside) source static obj_172.20.58.10 obj_172.20.58.10 destination static obj_172.17.4.100 obj_172.17.4.100

: 21 paź 2014, 13:47
autor: michaliwanczuk
ma tak zrobione i nadal to nie działa jakieś jeszcze pomysły

: 21 paź 2014, 13:55
autor: LukaszM
A mozesz wkleic output z packet-tracer dla ruchu inicjowanego z twojej strony?

: 21 paź 2014, 14:01
autor: michaliwanczuk

Kod: Zaznacz cały

packet-tracer input extwaf tcp 172.20.58.10 1025 172.17.4.100 443 detailed

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xafeddf10, priority=13, domain=capture, deny=false
        hits=34249, user_data=0xaea5b478, cs_id=0x0, l3_type=0x0
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000
        input_ifc=extwaf, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xacf63048, priority=1, domain=permit, deny=false
        hits=41149066, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=extwaf, output_ifc=any

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (toNet,extwaf) source static obj_172.17.4.100 obj_172.17.4.100 destination static obj-waf-vip obj-waf-vip no-proxy-arp
Additional Information:
NAT divert to egress interface toNet
Untranslate 172.17.4.100/443 to 172.17.4.100/443

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group in_extwaf in interface extwaf
access-list in_extwaf extended permit tcp object-group pota-waf object-group BPH-vpn eq https
object-group network obj-waf
 network-object 172.20.58.10 255.255.255.255
object-group network OBJ-vpn
 network-object object obj_172.17.4.100
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xafb35cc0, priority=13, domain=permit, deny=false
        hits=14, user_data=0xaa464a00, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=172.20.58.10, mask=255.255.255.255, port=0, tag=0
        dst ip/id=172.17.4.100, mask=255.255.255.255, port=443, tag=0, dscp=0x0
        input_ifc=extwaf, output_ifc=any

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (toNet,extwaf) source static bph_172.17.4.100 bph_172.17.4.100 destination static pota-waf-vip pota-waf-vip no-proxy-arp
Additional Information:
Static translate 172.20.58.10/1025 to 172.20.58.10/1025
 Forward Flow based lookup yields rule:
 in  id=0xaea0cd18, priority=6, domain=nat, deny=false
        hits=1, user_data=0xacf01668, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=172.20.58.10, mask=255.255.255.255, port=0, tag=0
        dst ip/id=172.17.4.100, mask=255.255.255.255, port=0, tag=0, dscp=0x0
        input_ifc=extwaf, output_ifc=toNet

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xacb6ff98, priority=1, domain=nat-per-session, deny=true
        hits=28610526, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xacf688e8, priority=0, domain=inspect-ip-options, deny=true
        hits=13419095, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=extwaf, output_ifc=any

Phase: 8
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xad06ffd8, priority=20, domain=lu, deny=false
        hits=116913, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=extwaf, output_ifc=any

Phase: 9
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xafed1780, priority=70, domain=encrypt, deny=false
        hits=2, user_data=0x85e644, cs_id=0xada983f8, reverse, flags=0x0, protocol=0
        src ip/id=172.20.58.10, mask=255.255.255.255, port=0, tag=0
        dst ip/id=172.17.4.100, mask=255.255.255.255, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=toNet

Phase: 10
Type: ACCESS-LIST
Subtype: vpn-user
Result: DROP
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xac730420, priority=12, domain=vpn-user, deny=true
        hits=38, user_data=0xaa47fa00, filter_id=0x0(-implicit deny-), protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

Result:
input-interface: extwaf
input-status: up
input-line-status: up
output-interface: toNet
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

: 21 paź 2014, 14:17
autor: LukaszM
A nie masz czasem przypietego vpn-filtra w

Kod: Zaznacz cały

GroupPolicy2
.
Sprobuj tymczasowo wylaczyc filter i wygeneruj ruch jeszcze raz.

: 21 paź 2014, 14:30
autor: michaliwanczuk
tak mam filtr odpiłem filtr i wynik jest ten sam

Kod: Zaznacz cały

Phase: 10
Type: ACCESS-LIST
Subtype: vpn-user
Result: DROP
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xac730420, priority=12, domain=vpn-user, deny=true
        hits=40, user_data=0xaa47fa00, filter_id=0x0(-implicit deny-), protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0

: 21 paź 2014, 14:45
autor: michaliwanczuk
zrobiłem restart vpn i pomogło dziękuję za pomoc
Strefa czasowa UTC+02:00
Strona 1 z 1

Technologię dostarcza phpBB® Forum Software © phpBB Limited

Polski pakiet językowy dostarcza phpBB.pl